W32/Kassbot-V is a worm and IRC backdoor Trojan for the Windows platform.
W32/Kassbot-V spreads to other network computers by exploiting common buffer overflow vulnerabilities, including SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007), and by copying itself to network shares protected by weak passwords.
W32/Kassbot-V runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Stration-D is a mass-mailing worm and backdoor Trojan for the Windows platform.
W32/Stration-D spreads by sending emails with itself as an attachment to email addresses harvested from the Windows Address Book (WAB). Emails sent by the worm have the following characteristics:
Subject line chosen from:
- Mail Delivery System
- Mail Transaction Failed
Message text chosen from:
- 'Mail transaction failed. Partial message is available.'
- 'The message contains Unicode characters and has been sent as a binary attachment.'
- 'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
The worm is included as a file attachment. The file attachment filename starts with one of the following names:
The filenames have a double file extension, with a large number of spaces between the two file extensions. For instance, a typical filename might be:
The second file extension is usually one of .BAT, .PIF, .CMD, .EXE or .SCR.
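A mail filter can flag the padded double-extension pattern described above. The following Python code is an added example, not part of the original description or of any vendor's detection logic. The function names, the three-space padding threshold and the sample message (including its filenames) are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Second extensions named in the description above.
EXECUTABLE_EXTS = {".bat", ".pif", ".cmd", ".exe", ".scr"}
# Assumption: "a large number of spaces" is taken to mean 3 or more.
MIN_PADDING = 3
# <stem>.<first ext><whitespace padding>.<second ext>
PADDED_DOUBLE_EXT = re.compile(
    r"^.+?\.[A-Za-z0-9]{1,5}(?P<pad>\s+)(?P<second>\.[A-Za-z0-9]{1,5})\s*$"
)

def is_padded_double_extension(filename):
    """True when an executable extension is hidden behind whitespace padding."""
    m = PADDED_DOUBLE_EXT.match(filename)
    return bool(m) and len(m["pad"]) >= MIN_PADDING and m["second"].lower() in EXECUTABLE_EXTS

def suspicious_attachments(raw_message):
    """Return attachment filenames in a raw message that match the pattern."""
    msg = message_from_string(raw_message)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_padded_double_extension(n)]

# Constructed sample message (not a captured worm email); filenames are made up.
SAMPLE = (
    'Subject: constructed sample\n'
    'Content-Type: multipart/mixed; boundary="b1"\n'
    '\n'
    '--b1\n'
    'Content-Type: text/plain\n'
    '\n'
    'constructed body\n'
    '--b1\n'
    'Content-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="constructed.txt' + " " * 40 + '.exe"\n'
    '\n'
    'placeholder\n'
    '--b1\n'
    'Content-Type: application/pdf\n'
    'Content-Disposition: attachment; filename="quarterly report.pdf"\n'
    '\n'
    'placeholder\n'
    '--b1--\n'
)

if __name__ == "__main__":
    for name in suspicious_attachments(SAMPLE):
        print("flagged:", repr(name))
```

The padding pushes the second extension out of view in clients that truncate long attachment names, so the check looks at the full filename from the Content-Disposition header and not at the displayed name.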
W32/Stration-D includes functionality to:
- communicate with a remote server via HTTP
- disable anti-virus and other security related software